The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its focus to corporate Human Resources (HR) departments with a highly targeted spear-phishing operation.
According to research by Arctic Wolf Labs, the group is leveraging legitimate job platforms and messaging services to send fraudulent job applications laced with malicious resumes.

These deceptive documents are designed to deploy a potent backdoor known as More_eggs, capable of credential theft, harvesting sensitive customer payment data, and stealing intellectual property or trade secrets.
This tactical pivot to HR targeting broadens Venom Spider’s potential victim pool, as every industry relies on hiring new talent, making this campaign a significant threat to organizations worldwide.
Technical Breakdown of the More_eggs Attack Chain
The attack begins with a spear-phishing email directed at HR managers and recruiters, containing a link to a malicious website posing as a resume download page.
Once clicked, the link leads to an actor-controlled site where victims must pass a CAPTCHA test, a gating step that keeps automated scanners from retrieving the payload.
Upon completion, a ZIP file is downloaded, containing a decoy image and a malicious Windows shortcut (.LNK) file.
This .LNK file, generated uniquely for each download via server-side polymorphism, embeds an obfuscated batch script that manipulates legitimate Windows utilities like ie4uinit.exe to execute commands covertly.
This living-off-the-land (LOTL) technique helps bypass detection while launching distracting applications like WordPad to mislead users into believing they are opening a genuine resume.
Subsequent stages download obfuscated JavaScript payloads from domains such as doefstf[.]ryanberardi[.]com, which in turn deploy the More_eggs_Dropper library, a dynamic-link library (DLL) registered via regsvr32.
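The ZIP-plus-.LNK stage described above is where this chain can be caught before anything executes, and it is also what the "inspect suspicious file properties before opening" advice later in the article amounts to in practice. The following is an added example, not code from Arctic Wolf's report or from the malware: it parses the StringData fields of a Windows shell link according to the MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then length-prefixed strings) and triages an archive that pairs a decoy image with a shortcut whose arguments reference ie4uinit.exe or regsvr32. The `build_sample_lnk` and `build_sample_zip` helpers, the placeholder arguments and the token list are constructed for the demonstration; decoding non-Unicode strings as Windows-1252 is an assumption.

```python
import io
import struct
import zipfile

# Constants from the MS-SHLLINK ShellLinkHeader layout.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # window starts minimized; a common trait of dropper shortcuts

# Utilities the article names as abused in this chain, plus the usual script hosts (constructed list).
SUSPICIOUS_TOKENS = ("ie4uinit", "regsvr32", "cmd.exe", "powershell", "wscript", "cscript", "mshta")
DECOY_IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .LNK."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        # Assumption: ANSI strings use the Windows-1252 code page.
        strings[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return {"flags": flags, "show_command": show_command, "strings": strings}


def lnk_findings(data: bytes) -> list:
    """Human-readable reasons a shortcut looks like a dropper rather than a document link."""
    parsed = parse_lnk(data)
    text = " ".join(parsed["strings"].values()).lower()
    findings = [f"references {tok}" for tok in SUSPICIOUS_TOKENS if tok in text]
    args = parsed["strings"].get("arguments", "")
    if len(args) > 200:
        findings.append(f"long argument string ({len(args)} chars), likely an embedded script")
    if parsed["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimized on launch (ShowCommand=7)")
    return findings


def triage_zip(zip_bytes: bytes) -> dict:
    """Flag archives that pair a decoy image with a .LNK, and inspect each shortcut."""
    report = {"has_lnk": False, "has_decoy_image": False, "lnk": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if lower.endswith(DECOY_IMAGE_EXT):
                report["has_decoy_image"] = True
            elif lower.endswith(".lnk"):
                report["has_lnk"] = True
                report["lnk"][info.filename] = lnk_findings(zf.read(info))
    report["suspicious"] = report["has_lnk"] and (
        report["has_decoy_image"] or any(report["lnk"].values()))
    return report


def build_sample_lnk(arguments: str, show_command: int = 1) -> bytes:
    """Constructed minimal shell link (header + COMMAND_LINE_ARGUMENTS) for testing; not a real sample."""
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_ARGUMENTS | IS_UNICODE, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


def build_sample_zip() -> bytes:
    """Constructed lure archive: a decoy image next to a shortcut with placeholder arguments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 constructed decoy")
        zf.writestr("Resume.lnk", build_sample_lnk("/c ie4uinit.exe placeholder && regsvr32 placeholder.dll",
                                                   SW_SHOWMINNOACTIVE))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```

Because every download in this campaign yields a differently generated shortcut, hashing the .LNK is of little use; the structural checks above (a shortcut sitting beside an image, LOLBin names in its arguments, an oversized argument string, a minimized window) survive the server-side polymorphism and can run in a mail gateway or sandbox pre-filter.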

This library generates polymorphic JavaScript code with time-delayed execution to thwart sandbox analysis, creating additional malicious files in the victim’s AppData directory.
The final More_eggs backdoor payload employs advanced encryption with device-specific keys (combining computer name and processor identifier) and brute-forced decryption components, ensuring that payloads are uniquely tailored to each infected system.
Once active, the backdoor establishes persistent command-and-control (C2) communication with servers like tool[.]municipiodechepo[.]org, enabling threat actors to execute remote commands, download additional malware, and exfiltrate sensitive data.
This campaign showcases Venom Spider’s refined tactics, including enhanced code obfuscation, encrypted payloads, and decentralized cloud-hosted infrastructure on platforms like Amazon and GoDaddy, making tracking and mitigation challenging.
Historically the group targeted e-commerce sectors in the U.S., such as retail and pharmacy; its focus on HR exploits a universal weak point: recruiters' routine handling of attachments from outside the organization.
In its report, Arctic Wolf recommends that organizations bolster defenses by training employees on phishing red flags, deploying Secure Email Gateways, and implementing Endpoint Detection and Response (EDR) solutions.
Additionally, inspecting suspicious file properties before opening and blocking known C2 domains are critical steps to counter this threat.
As Venom Spider continues to evolve its More_eggs malware, vigilance and proactive cybersecurity measures remain essential to safeguard against these insidious social engineering attacks.
Indicators of Compromise (IOCs)
Artifact/File | MD5 | SHA-256 | Description
---|---|---|---
More_eggs_Dropper DLL | EC103191C61E4C5E55282F4FFB188156 | F7A405795F11421F0996BE0D0A12DA743CC5AAF65F79E0B063BE6965C8FB8016 | Primary polymorphic dropper
ikskck.htm (2nd stage infection) | C16AA3276E4BCBBE212D5182DE12C2B7 | BD49B2DB669F920D96008047A81E847BA5C2FD12F55CFCC0BB2B11F475CDF76F | HTML/JS loader
More_eggs_JS_BackDoor | EBB5FB96BF2D8DA2D9F0F6577766B9F1 | 2FEF6C59FBF16504DB9790FCC6759938E2886148FC8ACAB84DBD4F1292875C6C | JavaScript backdoor
More_eggs_JS_BackDoor | 2DA2F53FFD9969AA8004D0E1060D2ED1 | 0AF266246C905431E9982DEAB4AD38AAA63D33A725FF7F7675EB23DD75CA4D83 | JavaScript backdoor
More_eggs_JS_BackDoor | 17158538B95777541D90754744F41F58 | F873352564A6BD6BD162F07EB9F7A137671054F7EF6E71D89A1398FB237C7A7B | JavaScript backdoor
More_eggs_JS_BackDoor | 46F142198EEEADC30C0B4DDFBF0B3FFD | 184788267738DFA09C82462821B1363DBEC1191D843DA5B7392EE3ADD19B06FB | JavaScript backdoor
More_eggs_JS_BackDoor | B1E8602E283BBDF52DF642DD460A2A2 | CCB05CA9250093479A6A23C0C4D2C587C843974F229929CD3A8ACD109424700D | JavaScript backdoor
File Paths | – | – | `C:\Users\%username%\AppData\Roaming\Adobe\[various]`
Network Indicators | – | – | hxxp://doefstf[.]ryanberardi[.]com/ikskck
Network Indicators | – | – | hxxps://tool[.]municipiodechepo[.]org/id/243149
Network Indicators | – | – | hxxp://dtde[.]ryanberardi[.]com/ikskck

See attached file for additional domains.
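The network indicators in the table are defanged (hxxp, [.]), which is right for a report but means they never match a log line as written. As an added example that is not part of the Arctic Wolf report, the script below refangs those three entries, builds a blocklist of exact URLs, C2 hosts and their parent domains, and runs it over a few constructed proxy-log lines, which is what the "block known C2 domains" recommendation above looks like when checked against actual traffic. The log format, client addresses and timestamps are made up for the demo; the parent-domain step naively takes the last two labels and would need a public-suffix list for names such as example.co.uk.

```python
import re

# Defanged network indicators copied from the IOC table above; the "attached file" domains are not available here.
DEFANGED_IOCS = [
    "hxxp://doefstf[.]ryanberardi[.]com/ikskck",
    "hxxps://tool[.]municipiodechepo[.]org/id/243149",
    "hxxp://dtde[.]ryanberardi[.]com/ikskck",
]

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>" per line.
SAMPLE_PROXY_LOG = """\
2025-05-02T09:14:03Z 10.1.4.22 GET http://doefstf.ryanberardi.com/ikskck 200
2025-05-02T09:14:09Z 10.1.4.22 GET https://cdn.example.org/app.js 200
2025-05-02T09:15:41Z 10.1.4.22 POST https://tool.municipiodechepo.org/id/243149 200
2025-05-02T09:16:02Z 10.1.7.9 GET https://mail.example.org/inbox 200
2025-05-02T09:17:30Z 10.1.4.22 GET http://new.ryanberardi.com/other 404
"""


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] / [:] conventions so indicators compare equal to real log values."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":").lower()


def defang(value: str) -> str:
    """Re-apply the conventions before writing indicators into a ticket or report."""
    return value.replace("http", "hxxp").replace(".", "[.]")


def host_of(url: str):
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def under_domain(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain; no partial-label matches (evilryanberardi.com)."""
    return host == domain or host.endswith("." + domain)


def build_blocklist(defanged=DEFANGED_IOCS) -> dict:
    urls = {refang(i) for i in defanged}
    hosts = {host_of(u) for u in urls}
    # Assumption: registrable domain is the last two labels; use a public-suffix list for real data.
    parents = {".".join(h.split(".")[-2:]) for h in hosts}
    return {"urls": urls, "hosts": hosts, "parents": parents}


def scan_proxy_log(log_text: str, defanged=DEFANGED_IOCS) -> list:
    """Return one hit per log line touching a known C2 URL, C2 host, or a sibling of a C2 host."""
    bl = build_blocklist(defanged)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than abort a sweep
        timestamp, client, method, url, status = parts
        host = host_of(url)
        if host is None:
            continue
        if url.lower() in bl["urls"]:
            level = "exact-url"
        elif any(under_domain(host, h) for h in bl["hosts"]):
            level = "c2-host"
        elif any(under_domain(host, p) for p in bl["parents"]):
            level = "c2-parent-domain"  # worth a look, but weaker than a direct C2 match
        else:
            continue
        hits.append({"timestamp": timestamp, "client": client, "method": method,
                     "host": host, "level": level, "indicator": defang(url)})
    return hits


def affected_clients(hits: list) -> list:
    """Clients with a direct C2 contact, i.e. the ones to isolate and image first."""
    return sorted({h["client"] for h in hits if h["level"] in ("exact-url", "c2-host")})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["level"], hit["client"], hit["indicator"])
    print("isolate:", affected_clients(scan_proxy_log(SAMPLE_PROXY_LOG)))
```

The three-tier result (exact URL, C2 host, sibling under the same parent domain) matters because the article notes that two of the published loader hosts already sit under ryanberardi[.]com; a sibling hit is not proof of infection, but it is the kind of lead a hunt should surface separately from confirmed C2 contacts.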